I've received a number of inquiries from individuals about how to get into the game security business and I've asked some industry insiders for their comments.

I thought it would make the most sense to throw the topic open for discussion since I think a lot of my readers have great insider knowledge of security in the games industry.

My sense is that, at the moment at least, there are very few "game security" positions and these are typically found at some of the larger publishers. Many times security responsibilities are tied into network programming or other positions.

As is the case elsewhere, the effectiveness of security is tied to the level of management support.

If you provide comments, I would appreciate that you explain the type of game you are supporting. MMOs do have some level of internal security support (sometimes) and it has more visibility and a very different character than that associated with console titles, casual, skill, advergames, or gambling games.

If you want to provide comments anonymously, send me an email and I will post your comments for you.

Finally, if you are looking to hire someone for a game security job, I would be happy to post any positions here gratis.



Giant Interactive had been running the "crack house" of free-to-play gaming with its (once? still?) immensely popular game ZT Online. In the third quarter, the company moved away from its heavy reliance on purchased items towards steadier playing:

Commenting on the third quarter 2008 results, Yuzhu Shi, Giant's Chairman and Chief Executive Officer, said, "During July of the third quarter, we implemented an adjusted gaming structure for ZT Online and reduced the scope of monetized features in order to emphasize daily consumption rather than in-game promotional items. Though these adjustments resulted in a reduction in our revenue in the third quarter, we remain confident that this strategic decision is an important initiative towards expanding our user base, extending the life-cycle of ZT Online and driving long-term, sustainable growth."


The game has been criticized for driving players to relentlessly buy tons of virtual items (as a businessman, I really like its insane gift boxes which act like slot machines).

It also made money hand over fist.

The numbers are still pretty staggering:

Net revenue was RMB265.20 million or US$39.06 million, a decrease of 34.6% from RMB405.25 million a year ago, mainly on lower online game net revenue, which was adversely impacted by adjustments made to the monetization features within ZT Online. Analysts expected revenues of $63.41 million for the quarter.

Gross profit declined 40.9% year-over-year to RMB212.5 million or US$31.3 million, and gross profit margin fell to 80.1% from 88.8% in the third quarter 2007.

Active paying accounts for online games declined 31.6% to 937 thousand, and average revenue per user dropped 4.4% to RMB282.1. Meanwhile, average concurrent users for online games rose 9% from last year to 543 thousand.


INSANE - average revenue per (paying?) user dropped to just over $41 ... ZT Online is making nearly the same per player as World of Warcraft.... in China!

"Giant Interactive drops after 3Q profit falls", http://www.forbes.com/feeds/ap/2008/11/13/ap5690528.html

"Giant Interactive Q3 profit falls; issues Q4 revenue forecast", http://www.rttnews.com/Content/BreakingNews.aspx?Node=B1&Id=774099%20&Category=Breaking%20News

I've written previously about sport wagering and money laundering as well as problems in professional tennis (see previous articles). Basically, criminals use massive wagers on marginal sporting events to launder money and manipulate the outcomes of the games.

Apparently, professional tennis is not alone in having a growing problem with fixed games. Soccer (Football for everyone outside the US) is also being manipulated by criminal gambling groups (mostly out of Asia, apparently) according to a new book, The Fix.

The Fix: Soccer and Organized Crime


What is especially disturbing about this is that the criminals don't actually have to change the outcome, they just have to manipulate the point spread or other specific game characteristics.

In the (US) football game this weekend, an officiating error apparently cost $10 million in legitimate wagers in Las Vegas and untold millions in online legal wagers and way untold millions in illegal wagers.

The smaller the betting pool (participants, not wagers) and the narrower the event being bet on, the easier it is to manipulate the outcome.

T. Dart (2008), "Match-rigging: football's dark destroyer", http://www.timesonline.co.uk/tol/sport/football/article5119754.ece

"Late blown call miffs Pittsburgh bettors", http://seattletimes.nwsource.com/html/seahawks/2008403943_nfl18.html

SEGA & Sports Interactive have been having problems with the DRM servers for Football Manager 2009. The servers do not seem to scale well and have been subject to a Distributed Denial of Service (DDoS) attack.

The anti-piracy system is from Uniloc.

There is also a printing problem with the license keys (ambiguous characters).

R. Purchese (2008), "DRM still causing FM 2009 headaches", http://www.eurogamer.net/article.php?article_id=309044

Alternate modes of operation: Maintenance mode, reduced mode, administrative mode, test mode, service mode... almost everyone builds these alternate modes of operation into hardware and software systems.

For good reason.

You need to fix, repair, support, update, reconfigure, test your hardware, software, or service.

They are also a great target for attack.

These modes often give enhanced privileges and circumvent standard security features. Modes to support degraded communications or reduced power are there because it is important to ensure a good experience for your customers.

What they shouldn't do is allow your core security systems to be evaded.

Sony's new version of the PSP, the PSP-3000, appears to be vulnerable to a hardware attack accessible through the battery interface.

I suspect Sony did this to allow returned PSPs to be serviced without "cracking the box", but instead they've made it easier for hackers to attack the handheld without "cracking the box" either.

Oops.

The article at MaxConsole (via Destructoid) describes some cryptographic processing, but I suspect that it is not too sophisticated (which is a pity because it would not be hard to make this attack VERY DIFFICULT to implement).

My guess is that someone did something complicated and confused complicated with secure.

Oh, and the attack device costs $29.99 in the US, so it is a bargain.
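The design point above (a service mode must authenticate the party that asks for it, and a fixed "magic" value on a physical interface is not authentication) is easier to see in code. The following is an added illustration written for this post, not Sony's or Datel's code and not a description of the actual PSP-3000 mechanism: a device-side gate that only unlocks a time-limited service session after the service tool answers a fresh random challenge with an HMAC over it. The key, the message prefix and the timeouts are assumptions.

```python
import hashlib
import hmac
import os
import time

# Constructed example: a shared service key that, on a real device, would sit
# in protected storage rather than in source. The value is hypothetical.
SERVICE_KEY = bytes.fromhex(
    "00112233445566778899aabbccddeeff00112233445566778899aabbccddeeff")
NONCE_TTL_SECONDS = 30        # how long an issued challenge stays answerable
SESSION_SECONDS = 600         # how long an unlocked service session lasts


class ServiceModeGate:
    """Device-side gate: service mode is entered only after the service tool
    answers a fresh random challenge with an HMAC over it, and the unlocked
    session expires on its own."""

    def __init__(self, key, now=time.time):
        self._key = key
        self._now = now               # injectable clock, so tests can control time
        self._pending = {}            # nonce -> time it was issued
        self.session_expires_at = None

    def challenge(self):
        # A fresh nonce per attempt is what makes a recorded exchange useless
        # later; a constant value presented on the interface could be replayed.
        nonce = os.urandom(16)
        self._pending[nonce] = self._now()
        return nonce

    def respond(self, nonce, response):
        issued = self._pending.pop(nonce, None)   # each nonce is single-use
        if issued is None or self._now() - issued > NONCE_TTL_SECONDS:
            return False                           # unknown, reused or stale nonce
        expected = hmac.new(self._key, b"service-mode|" + nonce, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, response):
            return False                           # wrong key or tampered reply
        self.session_expires_at = self._now() + SESSION_SECONDS
        return True

    def in_service_mode(self):
        return (self.session_expires_at is not None
                and self._now() < self.session_expires_at)


def service_tool_response(key, nonce):
    """What the authorised service tool computes from the device's challenge."""
    return hmac.new(key, b"service-mode|" + nonce, hashlib.sha256).digest()


if __name__ == "__main__":
    gate = ServiceModeGate(SERVICE_KEY)
    n = gate.challenge()
    print("unlocked:", gate.respond(n, service_tool_response(SERVICE_KEY, n)))
    print("replay accepted:", gate.respond(n, service_tool_response(SERVICE_KEY, n)))
```

The gate is deliberately small: the security comes from the random nonce, the single-use check, the constant-time comparison and the session timeout, not from any complexity in the exchange. What the unlocked session is allowed to do is a separate decision, and it should still be the narrowest set of operations that servicing actually needs.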

malloc (2008), "New PSP 3000 hacked - Datel gives the green light to PSP 3000 service mode!", http://www.maxconsole.net/?mode=news&newsid=33861

D. North (2008), "PSP-3000 hackable via service mode and special battery", http://www.destructoid.com/psp-3000-hackable-via-service-mode-and-special-battery-111967.phtml

My book is at the publisher's and getting ready to come out - soon!

You can even pre-order it at Amazon:

Protecting Games: A Security Handbook for Game Developers and Publishers

Here is the Table of Contents:

Introduction
Part 1 – The Protection Game
Chapter 1 – Game Security Overview
Chapter 2 – Thinking Game Protection
Part 2 – Piracy and Used Games
Chapter 3 - Overview - Piracy and Used Games
Chapter 4 - The State of Piracy and Anti-Piracy
Chapter 5 - Distribution Piracy
Chapter 6 - DRM, Licensing, Policies, and Region Coding
Chapter 7 - Console Piracy, Used Games, and Pricing
Chapter 8 - Server Piracy
Chapter 9 - Other Strategies, Tactics, and Thoughts
Chapter 10 - Anti-Piracy Bill of Rights
Chapter 11 - The Piracy Tipping Point
Part 3 – Cheating
Chapter 12 - Overview
Chapter 13 - Cheating 101
Chapter 14 - App Attacks! State, Data, Asset, and Code Vulnerabilities and Countermeasures
Chapter 15 - Bots and Player Aids
Chapter 16 - Network Attacks - Timing Attacks, Standbying, Bridging, and Race Conditions
Chapter 17 - Game Design & Security
Chapter 18 - Case Study: High Score Security
Part 4 - Social Subversion – From Griefing to Gold Farming
Chapter 19 – Overview
Chapter 20 – Competition, Tournaments, and Ranking
Chapter 21 – Griefing and Spam
Chapter 22 - Game Commerce: Virtual Items, Real Money Transactions, Gold Farming, Escorting & Power-Leveling
Chapter 23 - To Ban or Not to Ban? Punishing Wayward Players
Part 5 – The Real World
Chapter 24 – Overview
Chapter 25 – Insider Issues: Code Theft, Data Disclosure, and Fraud
Chapter 26 – Partner Problems
Chapter 27 – Money – Real Transactions, Real Risks
Chapter 28 – More Money – Security, Technical, and Legal Issues
Chapter 29 – Identity, Anonymity, and Privacy
Chapter 30 – Protecting Kids from Pedophiles, Stalkers, Cyberbullies, and Marketeers
Chapter 31 – Dancing with Gambling: Skill Games, Contests, Promotions, and Gambling Again
Chapter 32 – Denial of Service, Disasters, Reliability, Availability, and Architecture
Chapter 33 – Scams & Law Enforcement
Chapter 34 - Operations, Incidents, and Incident Response
Chapter 35 - Terrorists
Part 6 - Summary
Chapter 36 - Practical Protection
Glossary
Selected Game Security Incidents

I actually hope that the book will be useful for people beyond the game industry, especially others involved in social networks, new media, entertainment, and, of course, IT security folk.

If you'd like a signed copy, send me an email and I'll work it out.

A great stocking stuffer for the holidays!

If you are thinking about writing a book, here are a couple of personal metrics / comments:

1. Page Production - about 3 pages per day. This is much lower than I thought as I am used to writing about 1 page per hour for shorter term projects (white papers, proposals, and such). Sometimes I produced 10 pages in a day, sometimes none. It is a real marathon. I also wound up with very little reuse from my blog, even though I am covering the same material (which was also a surprise).

2. Detailed Edit Phase - about 20 pages per day. This is working from the various detailed, first read comments that I received as well as my own careful review of what I wrote.

3. Read your book contract carefully. There is space to negotiate, but you need to really understand your contract.

4. It is a labor of love. My "hourly rate" for the book was dismal.

5. Please buy it and I welcome feedback. Hopefully, I'll have a chance to do a "Revised & Expanded" version if there is enough interest. It is written for the general reader, not a security specialist (though I'll get technical when I have to).

Also, it is at least 50 percent less snarky than my blog!

Adam Martin has been on a tear... he posted several very interesting articles yesterday, most notably his interesting analysis on how many people (or identities) are playing online games.

Read it: A. Martin (2008), "More than 1 billion people play online games in 2008 ", http://t-machine.org/index.php/2008/11/18/more-than-1-billion-people-play-online-games-in-2008/

Also an article that hints at the trials and tribulations of building a social network from a large population of identities: "Microsoft turns Live.com into a social network?", http://t-machine.org/index.php/2008/11/18/microsoft-turns-livecom-into-a-social-network/

I smell a business plan in process and funded startup coming soon.

While everyone goes on and on about the glories of User Created Content, there is a bit of a wrench in the works: How to stop inappropriate content and how to stop players from griefing the content takedown system.

One of the trumpeted features of Media Molecule's Little Big Planet is the ability to create levels for the game and share them with other players on Sony's online service.

Just as with Spore's Sporn, no doubt players have worked to create obscene material and, no doubt, routinely infringe on other folks property (copyright and trademark infringements).

Sony has been quite aggressive in taking down material with little justification and no apparent appeal process which seems to be putting a chill on the whole endeavor.

Abusive players are, no doubt, triggering the removal of the content via the service's ability to file a complaint - classic griefing.

Part of the appeal of User Created Content is that it is supposed to be "free" for the host / publisher. Sony is finding that this is not so, especially in a closed game console environment. Moderation is expensive and needs to be carefully designed so that it cannot be easily abused. (The design of these reporting systems requires some thought - Sony does have an inherent advantage in that it can track activities down to the individual PS3 and therefore improve accountability... however, it looks like the Little Big Planet moderation was underdesigned and tested).
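One way to make a reporting system harder to grief, as an added illustration for this post rather than anything known about Sony's actual moderation logic: a level is only hidden automatically once enough distinct consoles report it, each report is weighted by the reporter's track record, and a moderator's decision feeds back into that track record. Reporters whose takedowns keep getting overturned quickly lose the ability to hide content on their own. The class, the thresholds and the reputation adjustments are all assumptions.

```python
from collections import defaultdict


class ReportQueue:
    """Hypothetical takedown logic for user-created levels.

    A report is keyed by (level, reporter) where the reporter is an
    accountable identity such as a console ID, so one console filing the
    same complaint ten times counts once."""

    def __init__(self, takedown_threshold=3.0, min_reporters=3):
        self.threshold = takedown_threshold
        self.min_reporters = min_reporters
        self.reputation = defaultdict(lambda: 1.0)   # reporter -> weight
        self.reports = defaultdict(dict)             # level -> {reporter: reason}
        self.hidden = set()                          # levels currently taken down
        self.decisions = {}                          # level -> "upheld" / "overturned"

    def pressure(self, level):
        """Distinct reporters and their combined weight for a level."""
        reporters = self.reports[level]
        return len(reporters), sum(self.reputation[r] for r in reporters)

    def report(self, level, reporter, reason):
        """File a report; returns True if the level is now hidden."""
        self.reports[level][reporter] = reason
        count, weight = self.pressure(level)
        if count >= self.min_reporters and weight >= self.threshold:
            self.hidden.add(level)
        return level in self.hidden

    def moderate(self, level, upheld):
        """Human review (or a successful appeal) resolves the reports.

        Upheld reports raise each reporter's weight a little; an overturned
        takedown halves it, so a griefing ring needs more and more members
        to trigger the next automatic takedown."""
        reporters = self.reports.pop(level, {})
        for r in reporters:
            if upheld:
                self.reputation[r] = min(2.0, self.reputation[r] + 0.25)
            else:
                self.reputation[r] = max(0.1, self.reputation[r] / 2)
        if upheld:
            self.hidden.add(level)
        else:
            self.hidden.discard(level)      # content comes back on appeal
        self.decisions[level] = "upheld" if upheld else "overturned"


if __name__ == "__main__":
    q = ReportQueue()
    for console in ("c1", "c2", "c3"):          # constructed console IDs
        print("level1 hidden:", q.report("level1", console, "obscene"))
    q.moderate("level1", upheld=False)          # moderator finds nothing wrong
    for console in ("c1", "c2", "c3"):          # same three try again
        print("level2 hidden:", q.report("level2", console, "obscene"))
```

The thresholds are the part that needs tuning per service: the minimum reporter count caps how much a single abusive account can do, and the reputation feedback is what turns the moderator's work into protection for the next creator rather than a one-off decision.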

O. Good (2008), "LBP Moderation Remains Inscrutable, Unaccountable", http://kotaku.com/5089481/lbp-moderation-remains-inscrutable-unaccountable

The new indie game, World of Goo, is reporting a 90 percent piracy rate with no DRM. This is essentially identical to the previously reported 92 percent piracy rate for Ricochet (with DRM).

Interesting.

The metric compares the number of distinct IP addresses seen in scores posted to the game's leaderboards against total sales (the leaderboard is a good metric collection tool). This probably overcounts piracy, since many people have dynamic IP addresses, but at least it is a measure.

As World of Goo's author, Ron Carmel says:

“in our case, we might have even converted more than 1 in a 1000 pirates into legit purchases. either way, ricochet shipped with DRM, world of goo shipped without it, and there seems to be no difference in the outcomes. we can’t draw any conclusions based on two data points, but i’m hoping that others will release information about piracy rates so that everyone could see if DRM is the waste of time and money that we think it is.”


Sharing data is to everyone's benefit.

Some suggested improvements for metrics:

1. Games should, at a minimum, generate a unique identifier on install and include it in any exchanges with a server. This helps (no, it is not perfect) identify computers that move around (laptops), sit behind firewalls, etc.

2. If you use license keys, add that as a separate identifier from the unique platform ID.

3. The piracy rate doesn't matter. Modeling sales does (unless piracy adds an additional cost as SiN Episode 1 found from customer support... downloads & supplementary downloads are also an issue).

4. It would be very interesting to see how this looks for real multi-player games with positive purchase verification for multi-player play or other features of what I call "Rich Interaction Systems".

(There are some additional clever things to do to help track this better...contact me offline).
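To make the difference between the IP-based count and the suggestions in items 1 and 2 concrete, here is an added example written for this post (not World of Goo's or Ricochet's code) that parses a constructed log of leaderboard submissions and works out a piracy estimate three ways: by distinct IP addresses, by distinct install IDs, and by which installs ever presented a license key. The log format, field names and the sales figure are all assumptions.

```python
import re
import uuid

# Server-side log of leaderboard score submissions. Constructed sample, not
# real data: each line carries the client's IP, a per-install ID (item 1
# above), an optional license key (item 2) and the score.
SAMPLE_LINES = [
    "2008-11-14T10:00:00Z ip=198.51.100.1 install=A key=K1 score=100",
    "2008-11-14T11:00:00Z ip=198.51.100.2 install=A key=K1 score=120",  # same install, new IP
    "2008-11-15T09:30:00Z ip=198.51.100.7 install=A key=K1 score=130",  # and a third IP
    "2008-11-14T12:00:00Z ip=198.51.100.3 install=B key=K2 score=90",
    "2008-11-14T12:05:00Z ip=198.51.100.4 install=C key=K2 score=95",   # K2 reused on a second install
    "2008-11-14T13:00:00Z ip=198.51.100.5 install=D key= score=70",     # no key at all
    "2008-11-14T14:00:00Z ip=198.51.100.6 install=E key= score=60",     # two installs behind one NAT
    "2008-11-14T14:01:00Z ip=198.51.100.6 install=F key= score=65",
    "this line is not a score submission and is skipped",
]
UNITS_SOLD = 2   # constructed: only two license keys (K1, K2) were ever sold

SCORE_LINE = re.compile(
    r"^(?P<ts>\S+) ip=(?P<ip>\S+) install=(?P<install>\S+) "
    r"key=(?P<key>\S*) score=(?P<score>\d+)$")


def new_install_id():
    """Generated once at install time and stored with the game. A random UUID
    identifies the install without encoding anything about the user."""
    return str(uuid.uuid4())


def parse_submissions(lines):
    """Return one dict per well-formed submission; malformed lines are dropped."""
    rows = []
    for line in lines:
        m = SCORE_LINE.match(line.strip())
        if m:
            rows.append(m.groupdict())
    return rows


def piracy_estimate(lines, units_sold):
    rows = parse_submissions(lines)
    ips = {r["ip"] for r in rows}
    installs = {r["install"] for r in rows}
    keyed_installs = {r["install"] for r in rows if r["key"]}
    keys = {r["key"] for r in rows if r["key"]}
    installs_per_key = {}
    for r in rows:
        if r["key"]:
            installs_per_key.setdefault(r["key"], set()).add(r["install"])

    def rate(population):
        # share of the observed population not accounted for by sales
        return max(0.0, 1.0 - units_sold / population) if population else 0.0

    return {
        "distinct_ips": len(ips),
        "distinct_installs": len(installs),
        "distinct_keys": len(keys),
        "unkeyed_installs": len(installs - keyed_installs),
        "shared_keys": sum(1 for s in installs_per_key.values() if len(s) > 1),
        "rate_by_ip": rate(len(ips)),            # inflated by dynamic IPs
        "rate_by_install": rate(len(installs)),  # not fooled by IP churn or NAT
    }


def demo():
    return piracy_estimate(SAMPLE_LINES, UNITS_SOLD)


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

On the sample, install A alone produces three IP addresses while installs E and F share one, so the IP-based figure is both inflated and deflated at once; counting installs removes both effects, and the key field separates "never had a license" from "one license used in several places", which are different problems with different responses.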

J. Walker (2008), "World of Goo Vs. Piracy", http://www.rockpapershotgun.com/2008/11/14/world-of-goo-vs-piracy/#more-5102

R. Carroll (2008), "Casual Games and Piracy: The Truth", http://www.gamasutra.com/php-bin/news_index.php?story=17350

Destructoid is reporting that the new Nintendo Wii Speak peripheral ships with an installation code that can only be used once to download the software needed to run the Wii Speak channel.

Sigh.

Why?

Allegedly to prevent used peripheral sales, apparently.

What this does is tether the peripheral to a specific Wii console... until someone hacks the Wii Speak software (or creates a homebrew emulator or creates a keygen program).

In some sense, this is a vote of "NO CONFIDENCE" by Nintendo in Wii Speak. If the service is popular, there is little need to be worried about used peripheral sales.

If Nintendo wanted to prevent Wii Speak peripheral piracy, they could have embedded the activation code in the peripheral itself (with easier use, by the way). This would also make it easier for people to show their Wii Speak to others.

This may be a measure to prevent unauthorized third party Wii Speak peripherals (which makes a bit more sense).

The real question is - what does Nintendo really want for Wii Speak?

B. Nicholson (2008), "Nintendo packing unique codes with WiiSpeak to avoid pre-owned sales", http://www.destructoid.com/nintendo-packing-unique-codes-with-wiispeak-to-avoid-pre-owned-sales-111273.phtml



About

Casual Game Dev is an aggregated blog to keep track of the latest casual games news. Email duncan /at/ casualgamedev /dot/ com to be included.